This repo contains specific configuration files for better understanding of sysmon configuration on Linux systems.
You can activate following configuration files by:
sudo sysmon -c <xml_file>
As you know, SysmonForLinux is just released and supports limited events from sysmon. (ProcessCreate | FileCreateTime | NetworkConnect | ProcessTerminate | DriverLoad | ImageLoad | CreateRemoteThread | RawAccessRead | ProcessAccess | FileCreate | RegistryEvent | FileCreateStreamHash | PipeEvent | WmiEvent | DnsQuery | FileDelete | ClipboardChange | ProcessTampering | FileDeleteDetected)*, got (ServiceConfigurationChange )
According to SysmonForLinux tool, configuration file expecting only following events:
| ⚠ | ⚠ | ⚠ | ⚠ | ⚠ |
|---|---|---|---|---|
| ProcessCreate | FileCreateTime | NetworkConnect | ProcessTerminate | DriverLoad |
| ImageLoad | CreateRemoteThread | RawAccessRead | ProcessAccess | FileCreate |
| RegistryEvent | FileCreateStreamHash | PipeEvent | WmiEvent | DnsQuery |
| FileDelete | ClipboardChange | - | FileDeleteDetected | ProcessTampering |
⚠ But some of them still needs to be tested for Windows-Linux compatibility, I guess. ⚠
This event provides extended information about newly created processes.
All Description Fields:
| ⬇ | ⬇ | ⬇ | ⬇ | ⬇ |
|---|---|---|---|---|
| RuleName | UtcTime | ProcessGuid | ProcessId | Image |
| FileVersion | Description | Product | Company | OriginalFileName |
| CommandLine | CurrentDirectory | User | LogonGuid | LogonId |
| ParentProcessGuid | TerminalSessionId | IntegrityLevel | Hashes | ParentProcessId |
| - | ParentImage | - | ParentCommandLine | - |
Example default configuration file: processCreate.xml
This event logs TCP/UDP connections on the machine.
All Description Fields:
| ⬇ | ⬇ | ⬇ | ⬇ | ⬇ |
|---|---|---|---|---|
| RuleName | UtcTime | ProcessGuid | ProcessId | Image |
| User | Protocol | Initiated | SourceIsIpv6 | SourceIp |
| SourceHostname | SourcePort | SourcePortName | DestinationIsIpv6 | DestinationIp |
| - | DestinationHostname | DestinationPort | DestinationPortName | - |
Example default configuration file: networkConnections.xml
This event provides information about newly terminated processes.
All Description Fields:
| ⬇ | ⬇ | ⬇ | ⬇ | ⬇ |
|---|---|---|---|---|
| RuleName | UtcTime | ProcessGuid | ProcessId | Image |
Example default configuration file: processTerminate.xml
This event detects reading operations mostly used by malwares for data exfiltration.
All Description Fields:
| ⬇ | ⬇ | ⬇ | ⬇ | ⬇ |
|---|---|---|---|---|
| RuleName | UtcTime | ProcessGuid | ProcessId | Image |
Example default configuration file: rawAccessRead.xml
This event detects when a process is accessed by another process and returns extended information about that event. This description is useful when detecting hacking tools that need to access specific system processes.
All Description Fields:
| ⬇ | ⬇ | ⬇ | ⬇ | ⬇ |
|---|---|---|---|---|
| RuleName | UtcTime | SourceProcessGUID | SourceProcessId | SourceThreadId |
| SourceImage | TargetProcessGUID | TargetProcessId | TargetImage | GrantedAccess |
| - | - | CallTrace | - | - |
Example default configuration file: processAccess.xml
This event detects when file is created. This event can be useful when observing auto-startup folders, which are the favorite folder for malicious activites.
All Description Fields:
| ⬇ | ⬇ | ⬇ | ⬇ | ⬇ |
|---|---|---|---|---|
| RuleName | UtcTime | ProcessGuid | ProcessId | Image |
| - | TargetFilename | - | CreationUtcTime | - |
Example default configuration file: fileCreate.xml
This event detects when file is shredded or deleted.
All Description Fields:
| ⬇ | ⬇ | ⬇ | ⬇ | ⬇ |
|---|---|---|---|---|
| RuleName | UtcTime | ProcessGuid | ProcessId | User |
| Image | Hashes | - | IsExecutable | Archived |
Example default configuration file: fileDelete.xml
And logs are stored in /var/log/syslog by default (path cannot be edited yet 😑)
When I want to test something on my configuration files; I don't want to lost in huge log mess.
Therefore, I am disabling all other events.
For example, you can disable all ProcessTerminate events by:
<!-- Event ID 5 == ProcessTerminate. Do not log anything! -->
<RuleGroup name="" groupRelation="or">
<ProcessTerminate onmatch="include"/>
</RuleGroup>All other logs can be disabled with the use of 'include' nothing (example above).
all_disabled.xml gist:
This configuration can be used as a main template.
All events are disabled in this configuration file.
Can be edited for specific purposes.
only_ping.xml gist:
This configuration file only logs 'ping' actions.
Network Specifications (network_specifications.xml) gist:
You can limit your network connections by specifically logging them.
Example scenario:
- Allow only tcp and udp protocols.
- Allow only 80 and 443 ports.
It can be expressed as: (protocol:tcp || protocol:udp) && (port:80 || port:443)
Expression above should outcome as True.
Valid configuration for that purpose should contain:
<RuleGroup name="" groupRelation="and">
<NetworkConnect onmatch="exclude">
<Protocol condition="is">tcp</Protocol>
<Protocol condition="is">udp</Protocol>
<DestinationPort condition="is">80</DestinationPort>
<DestinationPort condition="is">443</DestinationPort>
</NetworkConnect>
</RuleGroup>groupRelation="and" is the critical part of that configuration.